Review of the Access to Information Act (ATIA)
Submission of the Office of the Privacy Commissioner of Canada to the President of the Treasury Board
February 17, 2021
The Honourable Jean-Yves Duclos, P.C., M.P.
President of the Treasury Board
90 Elgin Street
Ottawa, Ontario K1A 0R5
Dear Minister Duclos:
Thank you for the invitation to provide input at this early stage of the statutory review of the Access to Information Act (ATIA). We strongly support the government’s objective of greater openness and transparency and are pleased to participate in the deliberations on how best to achieve that important objective in the interest of Canadians.
There is no doubt that technology and data have brought about benefits for society. A data-driven society relies heavily on open data, data analytics, and artificial intelligence in order to achieve its important policy objectives and enrich our society. Open data and open government policies significantly contribute to government accountability, the development of programs and public policy, service delivery, and scientific research and discovery.
The pandemic in particular has made clear the importance of open data and technology in addressing a public health crisis and its many social and economic consequences. The federal government’s open data portal on COVID-19 hosts a trove of datasets, statistics, and other public sector data, all shared to help support response and recovery.Footnote 1 Statistics Canada too has published valuable disaggregated data for diverse population groups, with a focus on COVID-19.Footnote 2 This shows that open government can, and does, serve the public interest, and that it is possible to have open government while respecting privacy rights.
The ATIA and the Privacy Act both play a central role in preserving our information rights as our society becomes increasingly digital. Both laws are essential to fostering a more open, transparent government and upholding the tenets of democracy. Canada’s access to information regime can ensure that Canadians have open, accessible and trustworthy information from government in this digital age, and where personal information is at stake, Canada’s privacy laws limit the circumstances under which that information can be disclosed or released.
We need modern laws for both access and privacy in order to enable the benefits of drawing value from data while also preserving our democratic values and the protection of our rights in a digital environment. We support the government’s objective of modernizing Canada’s access laws to facilitate greater openness and transparency, but also emphasize that it is important for the right to privacy to not be further weakened by this reform. It is promising in that regard that the government is concurrently proceeding with its work on the modernization of the Privacy Act.
This upcoming review of the ATIA is indeed a good opportunity to discuss how to promote the openness and transparency of government, while carefully examining the issues at the intersection of both the ATIA and the Privacy Act. There are similar provisions throughout both statutes. There are also concepts and interpretations that are relevant to both Acts, including the definition of personal information, publicly available, and public interest exceptions, for example. We note that the Department of Justice has indicated that it will factor in the comments received during the review of the ATIA when it undertakes its review of these aspects in the Privacy Act. We are hopeful that the ongoing reviews of the ATIA and the Privacy Act will present an opportunity for both ministers to address the interplay between the ATIA and the Privacy Act through concurrent amendments, including the exemptions and the other common provisions.
What follows are key issues to consider in this more substantive review of the ATIA. First, we will raise some privacy considerations relevant to open data and open government priorities. Second, we will emphasize the importance of restoring appropriate weight to privacy within the code of informational rights. Third, we will comment on the complexities posed by the digital age on key concepts relevant to both access and privacy law. Fourth, we will address considerations for a review of exemptions and the scope of both the ATIA and the Privacy Act. Finally, we will discuss more specific challenges related to the exemption provisions applicable to the Office of the Privacy Commissioner’s operational activities.
1) Canadians deserve both privacy and an open government
The federal government is looking at a number of ways to increase digitization and open government. This includes initiatives to promote data-driven decision-making, greater data sharing and making data more accessible. It is increasingly turning to data analytics as well as AI and machine learning in order to deliver government services, to realize efficiencies and to identify and resolve problems. The government is also an important data source, and there is growing demand for access to the data generated through the delivery of government services both from within and from outside government.
As we seek to understand all the benefits of a data-driven society, it is important to remember that a great deal of the data that is produced by modern technologies is about real people. As Professor Shoshana Zuboff has pointed out, when we use terms like “data” it is easy to lose sight of the fact that some of the most valuable data are about people and our individual experiences.Footnote 3 Behavioural data are extremely sensitive because they are about our experiences, our health, our habits and preferences, our movements and connections, all of which are deeply personal and intimately linked to who we are as individuals. It is in this context that the government needs to be mindful that as it increases efforts to make data more available, it also has a responsibility to protect the vast amount of personal information in its possession.
There is a lot of good that can come from open data and open government initiatives without releasing personal information. The benefits of drawing value from data should certainly not come by ignoring privacy or giving it a secondary role as a suggested best practice that can be too easily set aside to achieve other goals.
Privacy and open government can be achieved together. In fact, digital and open government initiatives require trust that privacy will not be unduly infringed or that personal information will not be inadvertently disclosed. As the Supreme Court has recognized, in the event of a conflict between access and privacy rights, privacy must ultimately prevail. The Privacy Act, with its limited exceptions, is what must guide determinations about whether personal information may be disclosed under access laws in certain circumstances.
In some instances, if done correctly, de-identification can be a useful privacy-enhancing technique to provide the flexibility needed to protect privacy while allowing for responsible innovation or the provision of digital services. However, releasing datasets containing even de-identified information can come with notable risks. Technology has reached the state of sophistication that makes it easier to take information that does not expressly identify an individual, and analyze and combine it with other sources of information to allow for re-identifying the data. This is why it is vital that de-identified information not fall entirely outside the scope of privacy laws, given the persistent risk of re-identification. There are no easy solutions for these challenges, but they will no doubt be a central theme for the review of Canada’s privacy and access laws.
Facilitating greater access to data and an open government is indeed a worthwhile objective, but is also not without its operational challenges. Proactive disclosures under the ATIA should aim to alleviate the burden of processing ATIA requests. Yet, the increased pressure and requirements to proactively disclose information and make data more available also come with considerable resource pressures that are worth noting. Under the Privacy Act, we generally encourage the use of informal mechanisms for providing individuals with access to their own personal information held by government, especially where they achieve the goal of providing an individual with appropriate access in a resourceful and efficient way. Along these lines, the upcoming ATIA review could also consider how the ATIA could provide incentives for proactive or informal disclosures, where appropriate, provided there are clearly defined parameters and the disclosure of personal information is not at risk. It may be worthwhile to explore how proactive disclosure could go along with a corresponding reduced burden pertaining to formal access requests for the same information.
- Open data and open government are possible while at the same time respecting privacy and protecting personal information. Where personal information is implicated in implementing open government, privacy law must apply. In the event of a conflict, it is necessary to start from the recognized principle that privacy rights take precedence over access.
- Rules and criteria governing the use or disclosure of de-identified information should be addressed under the review of the Privacy Act. For example, there must be clear parameters around its use as it relates to proactive publication, which should be set out in privacy law.
- TBS may also want to explore how to incentivize the use of proactive disclosures within these parameters, while also reducing the burden related to formal access requests for the same information.
2) Restoring appropriate weight to privacy
The ATIA and Privacy Act have long been considered to be a “seamless code” of informational rights, the combined purpose of which is to carefully balance both privacy and access.Footnote 4 Since their enactment on July 1, 1983, the rights protected by both Acts have been considered of the highest importance in the functioning of a modern democratic state. Their origin and the interpretations that have emerged from Federal Court over the years demonstrate how the two laws work together to ensure the values underpinning both, access to information and privacy, can co-exist and provide rules and criteria to govern the interplay between the two laws.
Both the ATIA and the Privacy Act are quasi-constitutional. The right of access promotes accountability by government for its decision-making, and also serves the function of providing access to the extensive information about our society in the possession of government.Footnote 5 The Privacy Act equally gives individuals a right of access to the information about them held by government institutions, but it also places limits on the government's ability to collect, use and disclose their personal information.
Privacy is recognized internationally as a human right, and in Canada, the Charter of Rights and Freedoms also protects privacy both by virtue of the "liberty interest" in section 7 and the prohibition against unreasonable search and seizure set forth in section 8.Footnote 6 At its core, privacy is a cherished Canadian value that is deeply rooted in a tradition of human rights, and is a necessary precondition to the exercise of other fundamental rights, including freedom, equality and democracy.
While privacy and the right of access to information held by the government have a strong relationship, Parliament and the courts have made it clear that the right of access must cede to other interests in certain circumstances, with the protection of personal information being one of the most important exceptions to the right of access.Footnote 7 The Supreme Court of Canada has stated: "The right of access to government information, while an important principle of our democratic system, cannot be read in isolation from an individual's right to privacy.”Footnote 8 While both privacy and access rights must be protected, “by including a mandatory privacy exemption in the ATIA itself, Parliament ensured that both statutes recognize that the protection of personal information is paramount over the right of access, except as prescribed by law.”Footnote 9 The combined purpose of the two Acts is to protect both privacy and access rights and strike a careful balance between the two. Given this relationship, changes to one Act must necessarily take into account the other.
The goal of Bill C-58 was to bring about important improvements to the openness and transparency of government. Yet, arguably, it may have also disrupted the equilibrium between privacy and access laws in Canada.
Part of the historic balance lies with the fact that the commissioners have had equal powers. The Information Commissioner has the primary mandate to promote access, yet, she now also has the power to order disclosure of personal information. By granting order-making powers to the Information Commissioner, including in respect of personal information, Bill C-58 potentially gave access some degree of pre-eminence over privacy. This is contrary to what the courts have maintained, and also what Parliament envisaged when privacy and access laws were enacted in Canada.
Understanding that the objective of this review is to modernize Canada’s access laws with an emphasis on transparency and open government, it should also endeavour to take a more holistic view of both Acts and their underlying policy aims. It is promising in that regard that the government is proceeding with its work on modernization of the Privacy Act, and we are hopeful that this will present an opportunity for both ministers to address the interplay between the ATIA and the Privacy Act through concurrent amendments.
- The upcoming reviews of both the ATIA and the Privacy Act should take into account the need to restore the intent of the seamless code of informational rights, the combined purpose of which is to carefully balance both privacy and access. Ideally, the second round of amendments to the ATIA should occur at the same time as the proposals to modernize the Privacy Act, so that the interplay between the two laws is addressed concurrently.
- If concurrent amendments are not possible, the government needs to be vigilant not to let further changes to the ATIA place added pressure on our already outdated federal privacy laws.
3) The review should consider the complexities of the digital age, and its effect on the interpretation of concepts relevant to both access and privacy law.
There is a high degree of intersection between the Privacy Act and the ATIA in terms of interpretation of concepts relevant to both access and privacy law. Given this, discussions around concepts relevant to both access and privacy law, and in particular on concepts of de-identification, identifiability and publicly available, and the scope of what is considered personal information, may arise in the context of the upcoming ATIA review. Another area is the balancing of competing interests that occurs for public interest disclosures. Given these concepts are relevant to both Acts, they should be studied under both the review of the ATIA and the review of the Privacy Act concurrently, but they should not be amended until both Acts are examined.
Since both the ATIA and Privacy Act were first enacted, digital technologies have evolved rapidly and in ways we could not have foreseen. The data-driven era is defined by the vast amounts of data that are created, linked and shared every day.
Subsection 19(1) of the ATIA contains a general prohibition on the disclosure of “personal information” as it is defined by section 3 of the Privacy Act, subject to three limited exceptions allowing for disclosure of personal information under paragraphs 19(2)(a) - (c) of the ATIA, for the following reasons:
- the individual to whom it relates consents to the disclosure;
- the information is publicly available; or
- the disclosure is in accordance with section 8 of the Privacy Act, including for public interest disclosures.
The digital age, however, adds a great deal more complexity to these assessments than there was when the ATIA and Privacy Act were first enacted. Now in the 21st century, with so many of our everyday activities in the digital sphere, it may not be so apparent when personal information online is “publicly available.” One example of this that is often debated is whether data posted on social media is publicly available. Modern technologies also produce metadata, make inferences, and track patterns about our daily activities and habits, which can raise questions about when something is, or is not, personal information. Sophisticated techniques now exist to re-identify datasets, raising questions about when personal information is truly de-identified. We also now live in a time where we share more data about ourselves and evolving technologies make it easier to collect, analyze, and disseminate information about us, but that should not mean that our reasonable expectations of privacy necessarily shrink.Footnote 10 Even in instances where personal information may be publicly available, an individual may still retain a privacy interest in that information that could be compromised by disclosure of government held records.
These are all difficult and multifaceted questions on their own, and are the very questions on which the Office of the Information Commissioner (OIC) and OPC might have different views given our different mandates.
Drawing from jurisprudence in the federal public sector,Footnote 11 we are of the view that the definition of personal information must be given a broad and expansive interpretation. The quasi-constitutionality of the ATIA and the Privacy Act requires that rights are to be interpreted broadly and exceptions to that right should be narrow and specific. We also take the view that the legal test for the concept of “identifiability” should be as set out by the Federal Court in Gordon v. Canada: “information will be about an ‘identifiable individual’ where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.”Footnote 12 The OIC has suggested that the test set out in Gordon v. Canada (Health) is not workable in all contexts and scenarios, and it has recommended further legislative clarity.Footnote 13
While we believe the test set out in Gordon is relevant in the digital age, we are open to the potential for further clarity, provided that it contributes to Gordon in a way that ensures consistent application to better protect individual privacy. One of the main things that has changed since the ATIA and the Privacy Act were first enacted is that modern technologies have made it much easier to access other information and link datasets together, potentially making information that may initially seem innocuous or non-personal, actually very revealing. This is possibly an area that could benefit from further legislative clarity.
A contextual assessment of what is identifiable, or on the other hand, what is sufficiently de-identified, should play a central role in these assessments. A contextual assessment should, for example, take into consideration things like the value of the information, the visibility of the individual, as well as recognition of the risk that people with access to other data or powerful technological capacities may have the ability to re-identify the information.
The term “publicly available” is not defined in either Act, yet it forms the basis for an exception allowing for disclosure of personal information under the ATIA. In response to the Department of Justice’s technical engagement on Privacy Act modernization, the OIC and other institutions suggested that a definition of “publicly available” should balance the dual objectives of providing access and protecting privacy.Footnote 14
The Department of Justice, in its online public consultation discussion paper on the modernization of the Privacy ActFootnote 15 proposes setting out an updated framework for publicly available personal information. It suggests a modernized Act could define personal information as being “publicly available” in three instances:
- when it has been made manifestly public by the individual the information relates to;
- when it is broadly and continuously available to all members of the public and the individual has no reasonable expectation of privacy in the information; and
- when another act of Parliament or a regulation requires the information to be publicly available.
The discussion paper also suggests eliminating the current exclusion under subsection 69(2) so that all the Act’s rules would apply to publicly available personal information. At the same time, it proposes adding provisions to permit the use and disclosure of such information in specific cases, along with a related exception to the right to have personal information collected directly from the individual.
It is encouraging that the Department of Justice is proposing to more clearly define and regulate ‘publicly available’ personal information, as opposed to excluding it from the use and disclosure requirements of the Privacy Act. While the Department of Justice’s proposals in this regard contain some common elements with recommendations we made in our submission during the technical engagement on Privacy Act modernization,Footnote 16 we also emphasized other important considerations such as the importance of context and consideration for the capabilities of the technology. There should also be some recognition that, depending on the circumstances, individuals may still have a privacy interest in information that may otherwise be deemed or perceived as “publicly available.” We have recommended that the Privacy Act include a definition of “publicly available personal information” which considers context, the reasonable expectation of privacy, accessibility of information, including with new technologies, and the collecting organizations’ obligations for accuracy, currency and completeness.
The contextual approach we proposed is also consistent with the findings of R. v. Jarvis, in which the Supreme Court of Canada noted that it is important to “consider the capabilities of a technology in assessing whether reasonable expectations of privacy were breached by its use.”Footnote 17 While the Court repeatedly emphasized the fact that its decision in Jarvis was limited to facts involving surveillance or recording, we are of the view that a contextual approach to the assessment of the presence or absence of a reasonable expectation of privacy is useful to the analysis of the concept of “publicly available information.”
“Unjustified invasion of privacy test” and Public Interest Override
There are also tensions created by the exception under paragraph 19(2)(c) of the ATIA, which provides an exception to the general prohibition on the disclosure of personal information when the disclosure is in accordance with section 8 of the Privacy Act. The tension most notably exists in relation to discretionary disclosures that are fact-specific and may require a delicate balancing of competing interests, in particular for public interest disclosures under section 8(2)(m) of the Privacy Act.
As previously mentioned, Canadian jurisprudence has stressed the importance of privacy, even over access. The Supreme Court of Canada in H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General)Footnote 18 and DaggFootnote 19 has maintained that both Acts are meant to afford a greater emphasis on the protection of personal information than permitting access. The Courts have noted that despite the ATIA’s disclosure exceptions contained in section 19(2) of the Act, the general prohibition against disclosure of personal information is supported by the mandatory nature of section 19(1). In line with this, we noted in our statements on Bill C-58 that the careful balancing of access and privacy is based on a number of factors, including the definition of personal information; the fact that the personal information exception in the ATIA is mandatory rather than discretionary; and the wording of the current public interest exception, which requires that the public interest in disclosure "clearly outweigh" privacy invasions in order to prevail.Footnote 20
In the submission by the OIC to the Department of Justice on Privacy Act modernization, there were two related recommendations made for amendments to section 19 of the ATIA, and the corresponding exemption for personal information under section 26 of the Privacy Act. The first is an exception that would provide the head of an institution with the discretion to disclose information when doing so would not constitute an "unjustified invasion of a person's privacy,"Footnote 21 referring to Ontario and other provinces as a model.
In our submission to the Standing Committee on Access to Information, Privacy and Ethics during its study of the Privacy Act in 2016, we signalled concern about the approach of adding a more general injury test to assess where there may be ‘unjustified invasions of privacy.’Footnote 22 We noted that the Privacy Act already permits the disclosure of personal information where, in the opinion of the head of the institution, the public interest clearly outweighs any invasion of privacy that could result from the disclosure. In our view, this protects the privacy rights of third party individuals and strikes the right balance between privacy and access.Footnote 23
The second recommendation by the OIC was for an exception that would give the head of an institution the discretion to disclose personal information to a spouse or close relative about a deceased person for compassionate reasons, as long as the disclosure is not an unreasonable invasion of the deceased's privacy. On this aspect, we would agree there is some merit in explicitly adding compassionate grounds to add clarity to the disclosures contemplated by 8(2)(m)(ii) of the Privacy Act.
Additionally, while the ATIA does not currently contain a general public interest override, the OIC has recommended that the Act include one, and that it be applicable to all exemptions, with a requirement to consider a non-exhaustive list of factors.Footnote 24 In its recent discussion paper on modernization of the Privacy ActFootnote 25 the Department of Justice makes a related proposal to reorient the approach for public interest disclosures under the Privacy Act and the ATIA. It proposes to remove the current public interest disclosure provisions under 8(2)(m) of the Privacy Act, and suggests that a public interest rationale justifying greater use, sharing and access to personal information might be better reflected under entirely new provisions in the Privacy Act, and in the ATIA.Footnote 26
Insofar as such considerations may form part of this statutory review of the ATIA, we note that we see merit in more clearly defining the exceptional situations where personal information might be disclosed in the public interest. We would be open to adding greater legislative clarity regarding factors to consider in defining what constitutes the public interest, so long as the specific criteria outlined in the statute do not diminish the basic principle that whatever the purported public interest, it must clearly outweigh any invasion of privacy to justify any disclosure. To the extent the criteria provide clarity on this assessment, they could be very helpful to organizations, and could provide important safeguards against unwarranted disclosure of personal information that are currently absent from the law.
Consultations between OIC and OPC
In its recent discussion paper on modernization of the Privacy ActFootnote 27 the Department of Justice proposes to align the Privacy Commissioner’s order-making powers with those of the Information Commissioner. This would indeed be central to achieving balance between access and privacy.
Until such time as the balance of powers is restored, the amendments we proposed to Bill C-58, calling for consultation with the OPC in some circumstances, are a compromise. We recently entered into a Memorandum of Understanding with the OIC and trust it will result in consultations on critical concepts. The intent was to establish a list of circumstances where a consultation between the OIC and the OPC should occur to ensure there is adequate consideration of privacy rights. To ensure this is balanced and reasonable from an operational perspective, we have agreed to focus on a set of challenging questions where there may be diverging views.
We have agreed that the circumstances that may warrant a consultation between the OIC and the OPC include questions around the following:
- Whether the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure of personal information;
- Whether metadata constitutes personal information;
- Where the “mosaic effect” has been invoked to protect information under section 19 of the Act;
- When an institution claims that de-identification or anonymization techniques have been applied such that information is said to no longer be personal;
- Whether the personal information that has been protected is publicly available.
It is in these types of circumstances, where the digital era is presenting novel challenges and tensions between the right of access and privacy, that we believe it is essential that the Privacy Commissioner play a central role in advising on the interpretation of privacy rights, including the protection to be given to personal information.
- The interplay between the concepts relevant to both access and privacy law should indeed be carefully examined in this upcoming review of both the ATIA and the review of the Privacy Act. However we strongly recommend that any proposed amendments to concepts that are pillars of the Privacy Act, and specifically those implicating interpretations of privacy or the protection of personal information, should be addressed under the Privacy Act.
- In drafting any new legislation, the tensions created by the digital age on the interpretation of concepts relevant to both access and privacy law should also be carefully considered. Along these lines, we recommend:
  - ‘Personal information’ should be given a broad and expansive interpretation, and the concept of “identifiability” should be as set out by the Federal Court in Gordon v. Canada, and should be applied contextually. While we believe the test set out in Gordon is relevant in the digital age, we are open to the potential for further clarity, provided that it contributes to Gordon in a way that ensures consistent application to better protect individual privacy;
  - Interpreting what is ‘publicly available’ as it relates to personal information should be a contextual assessment, with due consideration for the reasonable expectation of privacy, accessibility of information, including with new technologies;
  - Any amendments proposed to include new assessment criteria governing public interest disclosures for personal information should be made under the Privacy Act, and should maintain the basic tenet that the public interest must clearly outweigh any invasion of privacy that could result from disclosure.
- The upcoming review of the ATIA should give due consideration to the impacts of any proposed amendments on the interpretation or application of the Privacy Act, and any consequential amendments that may be necessary.
4) Exemptions and scope of application of the ATIA and Privacy Act
This upcoming review of the ATIA, together with the ongoing review of the Privacy Act, is indeed a good opportunity to examine the issues that lie at the intersection of both the ATIA and the Privacy Act, including corresponding exemption and exclusion provisions and the scope of both Acts. We note that with respect to exemptions and exclusions the Department of Justice has signalled that these aspects of the Privacy Act will benefit from the input received during the government’s review of the ATIA, and will be reviewed in more detail at a later date. We will certainly be interested in engaging in further discussions on any specific proposals to amend exemption and exclusion provisions that have matching provisions in the Privacy Act, or on the exemption for personal information under section 19 of the ATIA. We strongly recommend that corresponding provisions of the ATIA and Privacy Act be addressed through concurrent amendments, including on both shared exemptions and shared interpretations, which is fundamental to both Acts being read as a seamless code of information rights.
As well, in support of the objective of greater openness and transparency, the government should consider extending the scope of both the ATIA and the Privacy Act to encompass other bodies including ministers’ offices and the Prime Minister’s office, thereby extending Canadians’ right of access to information, including their own personal information, regardless of where it is held within government.Footnote 28
A case we recently reported in our Annual Report 2019-2020 demonstrates the significance of the issue. The complaint was filed by a member of Parliament concerning an alleged privacy breach relating to a recommendation for nomination of a candidate to the Supreme Court of Canada. The complainant specifically requested that we investigate the roles of the Privy Council Office (PCO), the Department of Justice, the Office of the Commissioner of Federal Judicial Affairs (CFJA), and the Office of the Prime Minister of Canada (PMO). However, our jurisdiction under the Act does not extend to the information handling practices of either the CFJA or the PMO. We therefore focused our investigation on the PCO and the Department of Justice.
While we did not find a contravention of the Act by the government institutions that fall under our jurisdiction, it is clear that a candidate’s privacy was compromised and negatively impacted by the disclosure of his personal information relating to the Supreme Court application and nomination process.
In our view, this case highlights significant gaps in the coverage of the Privacy Act, and by extension, the ATIA as well.
- Corresponding exemptions and exclusions in the ATIA and the Privacy Act should be amended concurrently.
- Treasury Board of Canada Secretariat (TBS) should seek feedback during its public consultation on the issue of extending coverage of the ATIA, and by necessity the extension of the Privacy Act, and thereby expanding Canadians’ right of access to information, including their own personal information, regardless of where it is held within government.
- We recommend the ATIA and Privacy Act both be amended to extend coverage to all government institutions, including ministers’ offices and the Prime Minister’s office.
5) ATIA and OPC Compliance Activities
As an institution subject to the ATIA, we have recommendations to share based on our experiences with requests for information related to our compliance activities.
Over the past several years, new requirements for breach reporting, an authority to enter into compliance agreements under the Personal Information and Electronic Documents Act (PIPEDA), and an expanding volume and complexity of complaints have all contributed to an increase in compliance activities that occur outside the context of formal investigations. For example, under the new requirements for mandatory breach reporting, we often have extensive exchanges with both public and private-sector organizations following the receipt of a breach report, where we seek resolution of issues on a voluntary basis without having to resort to a formal investigation. As well, some of our investigations result in comprehensive compliance agreements or other commitments from organizations to correct their practices that require ongoing follow-up post-investigation. These types of activities have created circumstances where some of the information obtained in the course of our compliance activities is not clearly covered by section 16.1 or subsection 24(1) of the ATIA, which respectively exempt from disclosure information obtained “in the course of an investigation or audit” or information “contained in” PIPEDA breach reports or records. The language “in the course of an investigation” is a particular element of the current exemption under section 16.1 that poses challenges since it no longer accurately reflects the range of all of our compliance activities.
The OPC’s compliance activities rely heavily on open exchanges by both public and private-sector organizations of often highly sensitive information. Subject to certain exceptions, the OPC is generally required to maintain the confidentiality of information that comes to the OPC’s knowledge in the course of duties and functions under the Privacy Act and PIPEDA. This helps instill trust, fosters cooperation, and encourages an open dialogue with the institutions and organizations we deal with as part of our mandate.
However, our confidentiality requirements may not always extend to information under the ATIA. The challenge we have experienced is that organizations have been increasingly reluctant to engage with our Office due to concerns over the possibility that certain information may be disclosed under the ATIA. This reluctance has a direct impact on our Office’s ability to continue to achieve a high level of compliance through informal means. These informal exchanges are critically important to our ability to accomplish our mandate efficiently and effectively without the need to always resort to a formal investigation, while also ensuring that organizations are implementing appropriate measures to protect Canadians’ personal information. When organizations are reluctant to provide information due to concerns over the possibility that certain information may be disclosed under the ATIA, it diminishes the value of these exchanges and the benefits of efficient and effective oversight for Canadians.
In our view, in light of the underlying intent of the existing exemptions that apply to OPC activities, it would be reasonable to extend them to other compliance activities that are not necessarily limited to an investigation. While information related to these activities may be subject to other exemptions in the ATIA, updating the exemptions applicable to the OPC to expressly encompass a broader range of OPC compliance-related activities would have the benefit of adding clarity for organizations that provide information to the OPC, and would allow the OPC to fulfill its mandate more effectively.
- As part of the upcoming review of the ATIA, we recommend that consideration be given to the language of the exemptions applicable to OPC’s operational activities. This would provide greater certainty and better reflect the realities and range of our compliance-related activities. We would be happy to provide further clarity on this issue and engage further on any specific amendments that may be appropriate.
In closing, it is important to emphasize that it should be possible to have greater access to the information held by government without infringing the privacy rights of Canadians. Open government and increased transparency remain critical areas for government reform and Canadians certainly deserve both an open government and respect for their privacy rights. I note that this review is still at an early stage and as such I am open to engaging in further discussions on the above, or any other matters related to privacy, as you progress with your review of the ATIA. Thank you for the opportunity to provide my input into this important process.
(Original signed by)
c.c.: Ms. Caroline Maynard
Information Commissioner of Canada